The Department of Homeland Security and its partners have taken significant steps in recent years to formalize the process of sharing cyber threat intelligence (CTI) with private-sector companies and protecting the nation’s critical infrastructure.
Despite these signs of progress, however, the concept of cyber threat intelligence and what it means for agencies and industry remains difficult to define.
Scott Algeier, the executive director of the IT Information Sharing and Analysis Center (IT-ISAC), said in an interview with Federal News Network that cyber threat intelligence is a useful tool for agencies and industry leadership once they’re on the same page about what it entails.
“One of the challenges in cyber threat intelligence at the moment is that there really is no common understanding of what we mean by that term,” Algeier said.
While the membership of ISACs consists of private-sector vendors, these ISACs work closely with DHS and other federal agencies on securing national critical functions. Through those partnerships, Algeier said he’s noticed an effort within agencies to share more sensitive threat indicators more quickly.
“We’re seeing this across the government. It’s not always 100% successful. It’s not always as good as we want. I think overall, we’re seeing a lot more engagement from the government to industry, when there are specific threats that they want industry to be aware of,” he said. “We’re seeing more analytical reports from the federal government that are actionable, that provide information that our members can use to manage threats against their networks.”
The IT-ISAC and its partners, for example, have recently worked with agencies that deal in highly classified environments and have been provided malware samples and other sensitive information.
“I think we’re seeing a pretty good collaboration across the board between industry and government,” Algeier said.
That collaboration, he added, will only improve with time. Within the IT-ISAC, for example, vendors have banded together to form special interest groups focused on security intelligence and sharing best practices on CTI.
“We’re bringing in the lead analysts from our member companies, who have the responsibility for finding the sophisticated [cyber] actors within their environments. They’re sharing with each other about tactics that they use, techniques that they use, how they’re finding incidents,” Algeier said. “And this, of course, serves as a multiplier effect. Now other companies can learn from their experience, can learn from what they’ve done.”
The threat intelligence community has also seen greater use of automation and machine learning tools to streamline information sharing, moving away from copying and pasting information from spreadsheets and moving toward rapid machine-to-machine sharing of information.
“I’m hopeful that we can have members share with each other and how they are leveraging those tools, and talking with each other about how they’re implementing AI and machine learning within their environments,” Algeier said. “This knowledge sharing can increase the capabilities across our membership in the future.”
Automation could also free up threat analysts to focus more on how best to mitigate threats once they’ve become known.
“A lot of the requests we’re getting from members is how they can prioritize indicators that we’re providing them. So we’ll be spending some time in the short term to try to assist them with that,” Algeier said.
Beyond the front-line threat analysts, executives both in government and industry have expressed a need for comprehensive strategic, risk-based data to support their decision-making and mitigate operational threats.
“I think it’s important to understand that there’s a larger audience for cyber threat intelligence, and those are the senior-level executives who need to make strategic risk-management decisions,” Algeier said.
In one notable case, civilian agencies will soon adopt a CTI best practice from the private sector: vulnerability disclosure policies.
Last month, the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget notified agencies that they’ll soon be required to develop vulnerability disclosure policies, making it clear that agencies welcome good-faith security research on specific, internet-accessible systems.
Algeier said these coordinated vulnerability disclosure programs have been successful in the private sector, and appear to be a step in the right direction for agencies.
“One of the key values of a coordinated vulnerability disclosure program is that it helps mitigate the risk to end-users. If a vulnerability is announced before a fix is available, the end-user is placed at greater risk,” Algeier said. “Coordinated vulnerability disclosure programs help improve the security of systems by helping vendors and government agencies identify and mitigate vulnerabilities.”